Distribution of network traffic to software defined network based probes
Abstract
In one example, a processor may receive network traffic from a demultiplexer via a first network interface card and place portions of the network traffic into a plurality of hash buckets. The processor may further process a first portion of the portions of the network traffic in at least a first hash bucket of the plurality of hash buckets and forward a second portion of the portions of the network traffic in at least a second hash bucket of the plurality of hash buckets to a switch via a second network interface card. In one example, the switch distributes the second portion of the network traffic to one of a plurality of overflow probes. In one example, the plurality of overflow probes comprises a network function virtualization infrastructure for processing the second portion of the network traffic.
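The bucket-and-overflow scheme summarized above, with the capacity rules from claims 5 and 7 to 11, as an added Python sketch that is not code from the patent. The bucket count, the `buckets_per_probe` and `min_local` parameters, the symmetric flow hash, the probe names and the "unmonitored" outcome are assumptions made for illustration.

```python
import hashlib
import ipaddress
import struct

NUM_BUCKETS = 16  # assumed; the page does not state a bucket count


def bucket_for(src_ip, src_port, dst_ip, dst_port, num_buckets=NUM_BUCKETS):
    """Hash IP addresses plus ports (sub-IP information) to a bucket index.

    Endpoints are sorted first so both directions of a flow share a bucket
    (an assumption added here; a security scan needs the whole conversation).
    """
    ends = sorted(
        ipaddress.ip_address(ip).packed + struct.pack("!H", port)
        for ip, port in ((src_ip, src_port), (dst_ip, dst_port))
    )
    digest = hashlib.sha256(b"".join(ends)).digest()
    return int.from_bytes(digest[:4], "big") % num_buckets


def designated_capacity(num_buckets, physical_buckets, overflow_probes,
                        buckets_per_probe=2, min_local=1):
    """Buckets this probe keeps: below physical capability, lowered as more
    overflow probes become available, never above the bucket count."""
    cap = (physical_buckets - 1) - overflow_probes * buckets_per_probe
    return max(min_local, min(cap, num_buckets))


def route_bucket(bucket, capacity, overflow_probes):
    """Return (destination, target) for one hash bucket."""
    if bucket < capacity:
        return ("local", bucket)
    if not overflow_probes:
        # Overflow with nowhere to go is a monitoring gap; make it visible.
        return ("unmonitored", bucket)
    # Stand-in for the switch: a fixed bucket-to-probe map keeps flow affinity.
    return ("overflow", overflow_probes[(bucket - capacity) % len(overflow_probes)])


def route_packet(pkt, capacity, overflow_probes):
    return route_bucket(bucket_for(*pkt), capacity, overflow_probes)


# Constructed sample flow (documentation address ranges), both directions.
FWD = ("192.0.2.10", 51514, "198.51.100.7", 443)
REV = ("198.51.100.7", 443, "192.0.2.10", 51514)

if __name__ == "__main__":
    probes = ["vprobe-a", "vprobe-b"]  # hypothetical overflow probe names
    cap = designated_capacity(NUM_BUCKETS, 12, len(probes))
    print("capacity:", cap)
    print("fwd:", route_packet(FWD, cap, probes))
    print("rev:", route_packet(REV, cap, probes))
```

Counting how often `route_bucket` returns "unmonitored" gives a direct measure of traffic that no probe is storing or scanning.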
Claims
What is claimed is:
1. A device comprising:
a processor; and
a computer-readable medium storing instructions which, when executed by the processor, cause the processor to perform operations, the operations comprising:
receiving network traffic from a demultiplexer via a first network interface card;
placing portions of the network traffic into a plurality of hash buckets in a memory;
processing a first portion of the portions of the network traffic in at least a first hash bucket of the plurality of hash buckets, wherein the device is configured with a maximum designated capacity to process at most the first portion of the portions of the network traffic in the at least the first hash bucket, wherein the maximum designated capacity is less than a physical capability of the device; and
forwarding a second portion of the portions of the network traffic in at least a second hash bucket of the plurality of hash buckets to a switch via a second network interface card, wherein the second portion of the portions of the network traffic comprises an overflow of the network traffic that is in excess of the maximum designated capacity of the device, wherein the switch distributes the second portion of the portions of the network traffic to one of a plurality of overflow probes, wherein the plurality of overflow probes comprises a network function virtualization infrastructure for processing the second portion of the portions of the network traffic.
2. The device of claim 1, wherein the demultiplexer receives the network traffic from a tap for copying the network traffic from a link in a communication network.
3. The device of claim 2, wherein the link comprise at least a 40 gigabits per second link, and wherein the network traffic is received from the demultiplexer at less or equal to 20 gigabits per second.
4. The device of claim 2, wherein the device comprises one of a plurality of devices to receive different network traffic from the link via the demultiplexer.
5. The device of claim 1, wherein the at least the first hash bucket comprises a subset of the plurality of hash buckets that includes multiple hash buckets, and wherein the maximum designated capacity is stated in terms of a number of hash buckets to be processed by the device.
6. The device of claim 1, wherein the second portion of the portions of the network traffic in the at least the second hash bucket is forwarded to the switch when the device is at the maximum designated capacity.
7. The device of claim 1, wherein the maximum designated capacity is selected based upon a number of overflow probes of the plurality of overflow probes that are available.
8. The device of claim 7, wherein when the number of overflow probes of the plurality of overflow probes that are available increases, the maximum designated capacity is decreased.
9. The device of claim 7, wherein the maximum designated capacity is not permitted to exceed the number of hash buckets in the plurality of hash buckets.
10. The device of claim 1, wherein the placing the portions of the network traffic into the plurality of hash buckets comprises hash load balancing based upon internet protocol address information of the network traffic.
11. The device of claim 10, wherein the hash load balancing is further based upon sub-internet protocol address information.
12. The device of claim 11, wherein the sub-internet protocol address information comprises:
port numbers of the network traffic;
packet sizes of the network traffic;
datagram sizes of the network traffic; or
content types of the network traffic.
13. The device of claim 1, wherein the processing the first portion of the portions of the network traffic comprises:
storing packets of the first portion of the portions of the network traffic;
generating aggregate link utilization information for a link from which the network traffic is copied; or
scanning the first portion of the portions of the network traffic for security issues.
14. The device of claim 1, wherein the processing the second portion of the portions of the network traffic comprises:
storing packets of the second portion of the portions of the network traffic;
generating aggregate link utilization information for a link from which the network traffic is copied; or
scanning the second portion of the portions of the network traffic for security issues.
15. A non-transitory computer-readable medium storing instructions which, when executed by a processor of a server deployed in a communication network, cause the processor to perform operations, the operations comprising:
receiving network traffic from a demultiplexer via a first network interface card;
placing portions of the network traffic into a plurality of hash buckets in a memory;
processing a first portion of the portions of the network traffic in at least a first hash bucket of the plurality of hash buckets, wherein the server is configured with a maximum designated capacity to process at most the first portion of the portions of the network traffic in the at least the first hash bucket, wherein the maximum designated capacity is less than a physical capability of the server; and
forwarding a second portion of the portions of the network traffic in at least a second hash bucket of the plurality of hash buckets to a switch via a second network interface card, wherein the second portion of the portions of the network traffic comprises an overflow of the network traffic that is in excess of the maximum designated capacity of the server, wherein the switch distributes the second portion of the portions of the network traffic to one of a plurality of overflow probes, wherein the plurality of overflow probes comprises a network function virtualization infrastructure for processing the second portion of the portions of the network traffic.
16. The non-transitory computer-readable medium of claim 15, wherein the second portion of the portions of the network traffic in the at least the second hash bucket is forwarded to the switch when the server is at the maximum designated capacity.
17. The non-transitory computer-readable medium of claim 16, wherein the maximum designated capacity is selected based upon a number of overflow probes of the plurality of overflow probes that are available, wherein when the number of overflow probes of the plurality of overflow probes that are available increases, the maximum designated capacity is decreased.
18. A method comprising:
receiving, by a processor deployed in a communication network, network traffic from a demultiplexer via a first network interface card;
placing, by the processor, portions of the network traffic into a plurality of hash buckets in a memory;
processing, by the processor, a first portion of the portions of the network traffic in at least a first hash bucket of the plurality of hash buckets, wherein the processor is configured with a maximum designated capacity to process at most the first portion of the portions of the network traffic in the at least the first hash bucket, wherein the maximum designated capacity is less than a physical capability of the processor; and
forwarding, by the processor, a second portion of the portions of the network traffic in at least a second hash bucket of the plurality of hash buckets to a switch via a second network interface card, wherein the second portion of the portions of the network traffic comprises an overflow of the network traffic that is in excess of the maximum designated capacity of the processor, wherein the switch distributes the second portion of the portions of the network traffic to one of a plurality of overflow probes, wherein the plurality of overflow probes comprises a network function virtualization infrastructure for processing the second portion of the portions of the network traffic.
19. The method of claim 18, wherein the maximum designated capacity is selected based upon a number of overflow probes of the plurality of overflow probes that are available.
20. The method of claim 19, wherein when the number of overflow probes of the plurality of overflow probes that are available increases, the maximum designated capacity is decreased.